WiRouterKeyRec: divide-by-zero in agpf_get_serial (agpf.c)

Description:
WiRouterKeyRec is a WPA passphrase recovery tool for supported routers; it takes the target SSID (-s) and, for some models, a configuration file (--config).

A crafted AGPF config file passed via --config triggers an integer divide-by-zero (SIGFPE) in agpf_get_serial() at agpf.c:445. The file is parsed by agpf_get_config(), which wr_get_keys() calls from main(), so the crash is reachable from the command line with nothing more than a malicious config. Note that ASan has no divide-by-zero checker of its own: it only catches the fatal signal (ASAN:DEADLYSIGNAL), so the "address" in the report is simply the pc of the faulting instruction. Because the divisor comes from a user-supplied file, the practical impact is a crash (denial of service) of the tool.
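The bug class, as an added illustration that is not code from WiRouterKeyRec (the real layout of agpf.c is not shown on this page): a hypothetical "divisor=" field is read from an untrusted config buffer and used as a divisor. serial_unchecked() models the crashing form, serial_checked() and serial_from_config() the hardened form that rejects a zero divisor instead of raising SIGFPE. The key name, the seed value and the two sample configs are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical serial derivation. It models only the bug class seen in the
 * ASan report: an integer taken from the config file is used as a divisor
 * without a zero check. It is not the project's own agpf_get_serial().
 */

/* Status codes returned to the caller instead of crashing. */
enum { SERIAL_OK = 0, SERIAL_ERR_MISSING = -1, SERIAL_ERR_ZERO_DIV = -2 };

/* Locate "divisor=" in a NUL-terminated config buffer and parse its value.
 * Returns 0 on success, -1 if the key is absent or the value is not a
 * valid unsigned decimal number that fits in 32 bits. */
int parse_divisor(const char *cfg, uint32_t *out)
{
    const char *key = "divisor=";
    const char *p = strstr(cfg, key);
    if (p == NULL)
        return -1;
    p += strlen(key);
    errno = 0;
    char *end;
    unsigned long v = strtoul(p, &end, 10);
    if (end == p || errno != 0 || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Vulnerable form: the divisor comes straight from the file. A crafted
 * "divisor=0" makes the CPU raise SIGFPE, which ASan reports as
 * "FPE on unknown address" at the pc of the div instruction. */
uint32_t serial_unchecked(uint32_t seed, uint32_t divisor)
{
    return seed / divisor;
}

/* Hardened form: reject a zero divisor before dividing. */
int serial_checked(uint32_t seed, uint32_t divisor, uint32_t *out)
{
    if (divisor == 0)
        return SERIAL_ERR_ZERO_DIV;
    *out = seed / divisor;
    return SERIAL_OK;
}

/* End-to-end: parse the config, then derive the serial without ever
 * dividing by an unchecked value. */
int serial_from_config(const char *cfg, uint32_t seed, uint32_t *out)
{
    uint32_t divisor;
    if (parse_divisor(cfg, &divisor) != 0)
        return SERIAL_ERR_MISSING;
    return serial_checked(seed, divisor, out);
}

/* Constructed sample inputs (not real AGPF files). */
static const char *good_cfg  = "name=Alice-48230959\ndivisor=7\n";
static const char *crash_cfg = "name=Alice-48230959\ndivisor=0\n";

int main(void)
{
    uint32_t serial = 0;
    int rc = serial_from_config(good_cfg, 48230959u, &serial);
    printf("good config:    rc=%d serial=%u\n", rc, serial);
    rc = serial_from_config(crash_cfg, 48230959u, &serial);
    printf("crafted config: rc=%d (zero divisor rejected, no SIGFPE)\n", rc);
    /* serial_unchecked(48230959u, 0) here would kill the process with SIGFPE. */
    return 0;
}
```

When hunting this class of bug with a sanitizer, build with -fsanitize=undefined (or just -fsanitize=integer-divide-by-zero) alongside ASan: UBSan instruments the division itself and names the expression, whereas ASan alone only sees the resulting signal.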

The complete ASan output:

WiRouterKeyRec --config crash.agpf -s Alice-48230959

WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net

ASAN:DEADLYSIGNAL
=================================================================
==27225==ERROR: AddressSanitizer: FPE on unknown address 0x0000005019fc (pc 0x0000005019fc bp 0x7fffe1f6fbe0 sp 0x7fffe1f6fa00 T0)
    #0 0x5019fb in agpf_get_serial /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:445:20
    #1 0x5019fb in agpf_get_config /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:355
    #2 0x4f510f in wr_get_keys /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/wirouterkeyrec.c:480:28
    #3 0x4f2238 in main /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/wirouterkeyrec.c:307:18
    #4 0x7fdbc7f6161f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418c28 in getenv (/usr/bin/WiRouterKeyRec+0x418c28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:445:20 in agpf_get_serial
==27225==ABORTING

Affected version:
1.1.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-08-05: blog post about the issue

Note:
This bug was found with American Fuzzy Lop (afl-fuzz), by fuzzing the config file passed to --config.

This entry was posted in advisories, security. Bookmark the permalink.
